A very illuminating article on Eight Epic Failure of Regulating Cryptography and common misunderstanding by government regulators that doesn’t have a wide view on how technology works.
Ignorant government regulators does not understood that strict regulation would have the following drawbacks:
Security market grow, more companies goes to the market, but how many of them are taking seriously what they do?
You know, doing security technology mean that you are personally responsible for the protection of the user’s information. You must make them aware of what they need, exactly what your are doing and which kind of threat model your product protect.
A typical problem of product’s security features is represented by the inability of the user to evaluate the security claims of the product itself.
So there’s a lot companies doing a not-so-ethical marketing of security features, based on the facts that no user will be able to evaluate it.
The previously explained situation reside in the security topic of Snake Oil Encryption, an evolution in the scientific cryptographic environment that let us today use best of breed information protection technologies without having to worry too much about backdoors or insecurities.
Let’s speak about Snake Oil Encryption
Snake Oil Cryptography : In cryptography, snake oil is a term used to describe commercial cryptographic methods and products which are considered bogus or fraudulent. Distinguishing secure cryptography from insecure cryptography can be difficult from the viewpoint of a user. Many cryptographers, such as Bruce Schneier and Phil Zimmermann, undertake to educate the public in how secure cryptography is done, as well as highlighting the misleading marketing of some cryptographic products.
The most referenced crypto security guru, Philip Zimmermann and Bruce Schneier, was the 1st to talk about Snake Oil Encryption:
Snake Oil by Philip Zimmermann
Snake Oil by Bruce Schneier
The Michigan Telecommunications and Technology Law Review also made a very good analysis related to the Security Features of Security Products, SNAKE-OIL SECURITY CLAIMS” THE SYSTEMATIC MISREPRESENTATION OF PRODUCT SECURITY . They explain about the nasty marketing tricks used to tweak users inability to evaluate the security features, including economic and legal responsibility implication.
Several snake oil security product companies does not explain and are not clear about the threat model to which the product apply. Very famous is the sentence of Russ Nelson:
“Remember, crypto without a threat model is like cookies without milk. ….. Cryptography without a threat model is like motherhood without apple pie. Can’t say that enough times. More generally, security without a threat model is by definition going to fail.”
So, how to spot snake oil security products?
Check a guideline of to spot Snake Oil Encryption Products: Snake Oil Warning Signs, Encryption Software to Avoid by Matt Curtin .
You can see this very good Cryptographic Snake Oil Examples by Emility Ratliff (IBM Architect at Linux Security), that tried to make clear example on how to spot Cryptographic Snake Oil.
Here represented the basic guideline from Matt Curtin paper:
By checking that points it’s possible to evaluate how serious an encryption technology or product is.
But all in all how to fix that unethical security approach?
It’s very significative and it would be really useful for each kind of security product category to make some strongly and independent evaluation guideline (like OSSTMM for Penetration testing) , to make this security evaluation process really in the hands of the user.
It would be also very nice to have someone making analysis and evaluation of security product companies, publishing reports about Snake Oil signs.
You know that web2.0 world it’s plenty of leak of any kind (profiling, profiling, profiling) related to Privacy and users starts being concerned about it.
Users continuously download applications without knowing the details of what they do, for example iFart just because are cool, are fun and sometime are useful.
On mobile phones users install from 1000% up to 10.000% more applications than on a PC, and those apps may contain malware or other unexpected functionalities.
Recently infobyte analyzed ubertwitter client and discovered that the client was leaking and sending to their server many personal and sensitive data such as:
- Blackberry PIN
- Phone Number
- Email Address
- Geographic positioning information
Read about UbertTwitter ‘spyware’ features discovery here by infoByte .
It’s plenty of applications leaking private and sensitive information but just nobody have a look at it.
Should mandatory data retention and privacy policies became part of application development and submission guideline for mobile application?
Imho a users must not only be warned about the application capabilities and API usage but also what will do with which kind of information it’s going to handle inside the mobile phone.
Capabilities means authorizing the application to use a certain functionalities, for example to use GeoLocation API, but what the application will do and to who will provide such information once the user have authorized it?
That’s a security profiling level that mobile phone manufacturer does not provide and they should, because it focus on the information and not on the application authorization/permission respect to the usage of device capabilities.
p.s. yes! ok! I agree! This kind of post would require 3-4 pages long discussion as the topic is hot and quite articulated but it’s saturday morning and i gotta go!
In the ’90, closed source and proprietary cryptography was ruling the world.
That’s before open source and scientifically approved encrypted technologies went out as a best practice to do crypto stuff.
I would like to remind when, in 1992, USA along with Israel was, together with switzerland, providing backdoored (proprietary and secret) technologies to Iranian government to tap their communications, cheating them to think that the used solution was secure, making also some consideration on this today in 2010.
That’s called The Crypto AG case, an historical fact involving the United States National Security Agency along with Signal Intelligence Division of Israel Ministry of Defense that are strongly suspected to had made an agreement with the Swiss cryptography producer company Crypto AG.
Basically those entities placed a backdoor in the secure crypto equipment that they provided to Iran to intercept Iranian communications.
Their crypto was based on secret and proprietary encryption algorithms developed by Crypto AG and eventually customized for Iranian government.
You can read some other facts about Crypto AG backdoor related issues:
The demise of global telecommunication security
Breaking codes: an impossible task? By BBC
Der Spiegel Crypto AG (german) article
Now, in 2010, we all know and understand that secret and proprietary crypto does not work.
Just some reference by top worldwide cryptographic experts below:
Secrecy, Security, Obscurity by Bruce Schneier
Just say No to Proprietary cryptographic Algorithms by Network Computing (Mike Fratto)
Security Through Obscurity by Ceria Purdue University
Unlocking the Secrets of Crypto: Cryptography, Encryption and Cryptology explained by Symantec
Time change the way things are approached.
I like very much the famous Philip Zimmermann assertion:
“Cryptography used to be an obscure science, of little relevance to everyday life. Historically, it always had a special role in military and diplomatic communications. But in the Information Age, cryptography is about political power, and in particular, about the power relationship between a government and its people. It is about the right to privacy, freedom of speech, freedom of political association, freedom of the press, freedom from unreasonable search and seizure, freedom to be left alone.”
Any scientist today accept and approve the Kerckhoffs’ Principle that in 1883 in the Cryptographie Militaire paper stated:
The security of a cryptosystem should not depend on keeping the algorithm secret, but only on keeping the numeric key secret.
It’s absolutely clear that the best practice for doing cryptography today obbly any serious person to do open cryptography, subject to public review and that follow the Kerckhoff principle.
So, what we should think about closed source, proprietary cryptography that’s based on security trough obscurity concepts?
I was EXTREMELY astonished when TODAY, in 2010, in the age of information society i read some paper on Crypto AG website.
I invite all to read the Crypto AG security paper called Sophisticated Security Architecture designed by Crypto AG of which you can get a significant excerpt below:
The design of this architecture allows Crypto AG to provide a secret proprietary algorithm that can be specified for each customer to assure the perfect degree of cryptographic security and optimum support for the customer’s security policy. In turn, the Security Architecture gives you the influence you need to be fully independent in respect of your encryption solution. You can determine all areas that are covered by cryptography and verify how the algorithm works.The original secret proprietary algorithm of Crypto AG is the foundation of the Security Architecture.
I have to say that their architecture is absolutely good from TLC point of view. Also they have done a very good job in making the design of the overall architecture in order to make a tamper-proof resistant crypto system by using dedicated crypto processor.
However there is still something missing:
The overall cryptographic concept is misleading, based on wrong encryption concepts.
You may think that i am a troll telling this, but given the history of Crypto AG and given the fact that all the scientific and security community does not approve security trough obscurity concepts, it would legitimate to ask ourself:
Hey, i think that they have very depth knowledge on telecommunication and security, but given that the science tell us not to follow the secrecy of algorithms, i really have serious doubt on why they are still providing proprietary encryption and does not move to standard solutions (eventually with some kind of custom enhancement).
The cyber conflicts are really reaching a point where war and cyberwar merge together.
NATO countries have the right to use the force against attacks on computer networks.
I like geopolitic and i am following carefully iran issues.
I went to National Iranian Oil Company website and have seen “Exploration & Production” section where are listed all the companies and their country of origin that are allowed to make Exploration of oil in Iran.
On that list we find the list of countries along with the data of signing of exploration agreement:
Those countries’s oil companies are allowed to do oil extraction in Iran and i would like to point out that Iran is the 2nd world Oil Reserve just after Saudi Arabia.
As you can see there’s NO USA company doing extraction.
Of European Countries the only one doing business with IRAN are:
While of the well known non-US-simpatizing countries, the one doing Oil business with Iran are:
Don’t missing some Asian involvement.
As you can see Iran is doing Oil business with most big south America and Far Asia countries, with some little exception in Europe for what apply to Norway, Italy and Spain.
To me it sounds that those European countries are going to face serious trouble whether they will accept and subscribe UN sanction against Iran.
Or some of them, like Italy, are protected by the strenghtening cooperation they are doing with Russia on Energy matters?
Well, i don’t know how things will end up, but it’s possible the most hypocrit countries like the European ones doing business in Iran while applying Sanctions will be the only European winning in the international competition for Iran Oil (Unless France did not drop a nuclear bomb on theran ;) ).
When looking at facts and figures about globalized world, the index of economic freedom is a nice tool to make proper considerations.
Do you use your iphone, google phone, blackberry or nokia smartphone with cool built-in GPS?
Well law enforcement can now know even better where you are, at any time, even with historical data and much better than BTS based location systems.
Sprint has given 8 million times customer’s GPS information to law enforcement (sound something like a semi-automatic request).
Read here.
Nice extract is:
Sprint Nextel provided law enforcement agencies with its customers’ (GPS) location information over 8 million times between September 2008 and October 2009. This massive disclosure of sensitive customer information was made possible due to the roll-out by Sprint of a new, special web portal for law enforcement officers.
The informations was provided at wiretapping and interception industry conference ISS WASH in Washingtown.
If you want see directly the video:
Sprint: 50 million customers, 8 million law enforcement GPS requests in 1 year from Christopher Soghoian on Vimeo.
Then you know that “big brother” is watching you only because you let him to watch you.
It seems that in Turkey the Telecommunication Directorate (TIB), in charge of managing the wiretapping, intercepted the president of the Judge and Prosecutors Associations.
Prosecutors and Judge usually does not like being tapped, and so the 1st High Criminal Court ordered an audit of all the recording done by the TIB since 2006.
Read more here.
Hi all,
in the past few years i saw an incredible increase in the amount of “public” news about espionage against different western countries and usually coming from far-east, typically china.
China want to be the largest economic power within 2020 and it’s following a grow rate of 8% per year. Their “controlled” capitalism without the inefficiency of the democracy it’s something that’s beating the western countries, less efficient because democratic.
China, in order to quickly grow it’s R&D capacity make an extensive use of espionage, it’s estimated that Chinese government have more than 1.000.000 intelligence agents worldwide.
And they know how to do espionage, their “spy” does not cost that much like western countries’ spy, less guarantee, less payments.
Also they are using cyber espionage as an important source of information and competitiveness against western countries companies and government R&D results. China is so un-cooperative that now also western countries spying each other, or even Russian, use chinese internet space as the “start base” for their internet based espionage activities.
I knew of a USA phisher that used to build it’s own trojan with a chinese version of Windows Xp with a chinese version of the Microsoft Visual Studio development suite. Why? For information deception, in order to tweak the forensics effort of the FBI analyst and have them think that it’s own attacks was coming from China!
Any investigators that see an attack coming from china typically think “oh shit, it comes from china, we’re lost”, and now even cybercrime use China like a far-west, untouchable base for cyber attacks.
Back tracing attacks coming from china it’s like trying to find out what’s inside a black hole, it’s a one-way trip and no information comes back.
To give better an idea of what i am speaking about just get the following list of reference:
Germany accuses China of industrial espionage
Chinese trainee goes on trial as French industry fears espionage
U.S. Vulnerable to Chinese Cyber Espionage
Massive Chinese Espionage Network
Cyber Spy Network Also Targetting Finland
How do the western countries defend themself?
That’s a nice points to speak about because there’s no simple way to defend against espionage other than considering it like a serious and concrete threat.
Governments should be able to get more understanding that their approach to informations systems and information security policy must not only exists on paper but also be applied everywhere in order to be effective. Governments are complex organizations and only a few are enough smart to be able to quickly and efficiently make security policies really be implemented organization-wide. But they are trying to, especially the most competitive ones like USA, UK and Germany .
Companies instead should acquire awareness of the problem that is present, available, concrete as concrete is the chance that someone enter into the offices to steal good (not for espionage). For that reason companies place alarm systems, access control with badge, camera monitoring systems.
But espionage does not mean fighting and protecting against poor thieves but instead against more sophisticated, either technically and socially, attacker that can use old school intelligence techniques always effective. Getting employed and stealing information while working. Simulate to be customers to establish a link trust with a salesman and then find a reason to let him execute some malicious software “hey, but my modellization software demostrate that your model used to measure the performance of your product it’s not the one you advertised. Check it out, see your self with the software we used!”. What do you think the salesman will do in order to catch the prospect customer?
Only awareness, knowledge about the issues can make such risk to be considered seriously.
Governments should provide financing to industrial associations, chamber of commerces and similar agencies in order to make such awareness national wide and let entrepreneurs became conscious and became prepared to recognize, identify and stop espionage activities.
The law perspective
Governments should strenghten their laws in order to be able have the required rights tools to enforce the protection from espionage.
Look at the analysis made by my smart cousin Angelo Pietrosanti on espionage “Is the European R&D Equally protected from espionage as in the US R&D?”
| Country | Civil Sanction against trade secret threat | Criminal Sanction against trade secret threat | Year of last modificationg |
|---|---|---|---|
| USA | 5 mln $ | up to 10(for domenistic) or 15 (for foreigners) Years of Jail | 1996 (Economic Espionage Act) |
| Germany | YES | up to 3 Years of Jail | 1986 |
| France | 0.03 mln $ | up to 2 Years of Jail | 1992 |
| UK | YES | NO | 1984 |
| Italy | YES | up to 2 Years of Jail | 1942 |
| Switzerland | YES | up to 3 Years of Jail | 1986 |
| Finland | YES | up to 3 Years of Jail | 1990 |
| Sweden | YES | up to 6 Years of Jail | 1990 |
| The Netherlands | YES | up to 4 Years of Jail | 1992 |
What this table show?
Maybe some european policy on this could help.
In conclusion
We are in an economic war where the winner is not the one having more forces, but the one being more technologically advanced, and economically clever.
Chinese are demonstrating to be enough aggressive and clever, will the western countries be able to react both on the defense and the attack in this war?
The intelligence strength is increasing everywhere… also in Switzerland that had a well known privacy protection approach!
Read the WikiLeaks Article
Nice to read about Global Trends 2025 from United States National Intelligence Council.
 |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |
 |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |